API key
Leak this once and you will understand why everyone warns about it
What is an API key
It is a password. A long one, impossible to guess, that identifies your application when it calls an API.
When you sign up for Anthropic's API, they give you a string of characters — something like `sk-ant-api03-...`. Every time your application calls the API, it sends that string in the request header. Anthropic sees it, confirms it belongs to a valid account, and processes the request. Usage gets billed to your account.
That is it. A password that travels with every request, so the server knows who is asking and who to charge.
Why this matters to you
An API key is not just authentication. It is money.
If someone gets your API key, they can make requests that bill to your account. There is no additional login, no two-factor prompt, no confirmation email. They have the key. They use it. You pay.
This is not hypothetical. Leaked API keys are one of the most common ways developers incur unexpected charges. They paste the key directly into code, push the code to a public GitHub repository, and within hours automated bots scanning GitHub for API keys find it and start using it.
The charge that arrives after that is real. Providers vary on how much they will refund.
How to handle this correctly
Never put an API key directly in your code. Store it as an environment variable. Your code reads the variable — it never contains the key itself.
In a `.env` file: `ANTHROPIC_API_KEY=sk-ant-api03-...`
In your code: `process.env.ANTHROPIC_API_KEY`
Add `.env` to your `.gitignore` before your first commit. Not after.
If you have already committed a key to a public repository: rotate it immediately. Generate a new one in your provider's dashboard. The old one was compromised the moment it became public, regardless of whether you have seen it used.
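The three habits above in working form, as an added example that is not code from this page or from Anthropic: read the key from the environment and fail closed if it is absent, redact it before it reaches a log, and scan source text for a pasted key before it is committed. It assumes Node.js, takes the `sk-ant-` prefix from the page's sample key, and the helper names and the sample source file are made up for the example.

```javascript
// Added example, not code from the page or from Anthropic. Assumes Node.js;
// the "sk-ant-" prefix comes from the page's sample key; helper names are hypothetical.

// Read the key from the environment and fail closed if it is missing. Node does not
// read a .env file on its own: start with `node --env-file=.env app.js` (Node 20.6+)
// or load the dotenv package before this runs.
function loadApiKey(env = process.env) {
  const key = env.ANTHROPIC_API_KEY;
  if (!key) {
    throw new Error("ANTHROPIC_API_KEY is not set; put it in .env, never in source");
  }
  if (!key.startsWith("sk-ant-")) {
    throw new Error("ANTHROPIC_API_KEY does not look like an Anthropic key");
  }
  return key;
}

// Never log a full key. Keep the prefix and last four characters so keys can be
// told apart in logs without the value itself being exposed.
function redactKey(key) {
  if (key.length <= 14) return "***";
  return `${key.slice(0, 10)}...${key.slice(-4)}`;
}

// Pre-commit guard: scan source text for a literal key before it is pushed.
// Returns one {line, snippet} entry per hard-coded key found, snippet redacted.
const KEY_PATTERN = /sk-ant-[A-Za-z0-9_-]{8,}/g;
function findHardcodedKeys(sourceText) {
  const hits = [];
  sourceText.split("\n").forEach((line, i) => {
    for (const match of line.matchAll(KEY_PATTERN)) {
      hits.push({ line: i + 1, snippet: redactKey(match[0]) });
    }
  });
  return hits;
}

// Constructed sample: a source file into which a key was pasted (not a real key).
const SAMPLE_SOURCE = [
  "const client = new Anthropic({",
  '  apiKey: "sk-ant-api03-EXAMPLEKEY0123456789abcdefghij",',
  "});",
].join("\n");

// Stand-alone run: report the leak with the key redacted.
for (const hit of findHardcodedKeys(SAMPLE_SOURCE)) {
  console.log(`line ${hit.line}: hard-coded key ${hit.snippet}; move it to .env and rotate it`);
}
```

Wiring `findHardcodedKeys` into a pre-commit hook catches the paste before the push, which is the only point at which it is still cheap to fix.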
Verified March 2026 · Source: Anthropic API documentation